Capital One made learned of massive data breach from email tip-off

Capital One's data was breached some time between March and July. 106 million people had some combination of their IDs, social security, and bank account information compromised.

The bank didn't know about the hack until a member of the public emailed it to say they found the data dumped on GitHub, a popular site among web developers, the Department of Justice (DOJ) said.

It then took a further two days for the company to report the breach to the FBI.

Tip-offs like this are a common way for companies to find out about security breaches.

The DOJ has charged a former software engineer of hacking Capital One's security systems, accusing her of taking the data then posting it online.

Visit Business Insider's homepage for more stories.

Capital One was only made aware of its enormous data breach because a member of the public emailed the company after seeing the information freely available online.

The American bank announced Monday that it had been breached, affecting some 106 million people in the US and Canada. Many of those people had their personal information, social security details, and linked bank accounts compromised.

Read more: Capital One says it was hit with data breach, affecting tens of millions of credit card applications

The Department of Justice (DOJ) has accused Paige A. Thompson, a former software engineer, and charged her with a single count of computer fraud and abuse.

The DOJ said that the breach took place some time between March and July of 2019.

According to a criminal complaint, she stole data from Capital One's cloud provider and posted details of it on GitHub, a project-managing site popular among developers.

Also contained in the complaint is the detail that Capital One didn't realize it had been hacked until someone tipped it off.

According to the DOJ, an unidentified person emailed the bank on July 17, 2019, saying: “There appears to be some leaked s3 data of yours in someone's github/gist.”

“S3” refers to Amazon Web Services' cloud storage product for developers, which Capital One used to store the data that Thompson breached.

According to the complaint, Capital One contacted the DOJ two days later, on July 19, to report the breach.

Read more: Amazon's cloud was at the heart of the big Capital One hack, even though it doesn't seem to be at fault

The GitHub file in question, which contained Capital One's data, was timestamped April 21, 2019, and was linked to Thompson's name.

You can see a screenshot of the email above. The person's name and other identifying information came redacted in the DOJ's complaint, published Monday.

It is common for companies to find out about data breaches in this manner.

Capital One has an email address through which people can flag actual or potential vulnerabilities in their systems. Many other banks have channels like this.

Some of the people who email the hotline are “white hat” or “ethical” hackers, computer security specialists who report security vulnerabilities to their owners, rather than try to exploit them.

It's not clear if the person who emailed Capital One was a “white hat” hacker or somebody who chanced upon Thompson's GitHub file.

Thompson is due to appear in court on Thursday. If convicted, she faces up to five years in prison and a $250,000 fine.